Two Factor Authentication Framework Using OTP-SMS Based on Blockchain
Keywords: Two Factor Authentication, One Time Password, Blockchain, Smart Contract, Ethereum, Man in the Middle Attack, Third Party
Authentication is the main step used to confirm that a user is legitimate and to grant access only to that user. Recently, most applications have adopted Two Factor Authentication (2FA) schemes to add an extra layer of security to the login process and to address the vulnerabilities of relying on only one factor for authentication. OTP-SMS is one of the most common methods used in 2FA. However, attackers have found a way to attack this method and gain access to users' accounts without their permission. In this paper, we propose a new 2FA framework for the OTP-SMS method to prevent different attacks, mainly the Man In The Middle (MITM) attack and the third party attack. The proposed framework is based on Blockchain technology, which adds more security and provides a better environment for the authentication process. The framework uses an encrypted OTP, which is generated by a smart contract, and also uses the OTP's hash value, which is sent to the application/website to complete the authentication process. We present a comparison between our proposed framework and two other frameworks that use Blockchain to secure OTP-SMS. Our framework was found to be secure against MITM and third party attacks, and its computation time and complexity are less than those of the other frameworks.